
Implementing SSH: Strategies for Optimizing the Secure Shell, part 3


Network Settings
The network section of the sshd2_config file should look like the following:
Port 443
ListenAddress 0.0.0.0
RequireReverseMapping no
ResolveClientHostName yes
MaxBroadcastsPerSecond 0
NoDelay yes
KeepAlive yes
The network section of the SSH configuration GUI should look like Figure 2.3.
Figure 2.3 Network screen from the SSH server configuration tool.
54 Chapter 2
Table 2.19 describes the Network options available for the SSH server.
Table 2.19 Options in the Network Section (Windows)

Port
  Sets the port number the SSH server listens on. The default is 22, but listening on several ports, including nonstandard ones such as 80, 443, or 8080, can be worthwhile: business travelers often cannot make outbound connections on port 22 from the networks they are on, while port 80 or 443 is usually reachable. The server still speaks SSH on those ports, so a proxy or firewall that inspects protocols rather than port numbers will still identify it. To listen on multiple ports, add one Port line per port:
  Port 22
  Port 80
  Port 443
  Port 8080

ListenAddress
  Sets the IP address the SSH daemon listens on. The default, 0.0.0.0, enables the SSH service on all interfaces. If there are interfaces where SSH should not listen, such as the external interface of a firewall, remove 0.0.0.0 and list the appropriate addresses instead. Addresses can be comma-separated on one line or given on separate lines:
  ListenAddress 172.16.1.1,192.168.0.1
  ListenAddress 10.0.0.1

RequireReverseMapping
  Enables (yes) or disables (no) the requirement that the reverse DNS lookup of the client's address succeed before AllowHosts and DenyHosts entries are evaluated. If enabled and the lookup fails, the connection is denied. If disabled and the lookup fails, only the client's IP address is checked against AllowHosts and DenyHosts, so hostname patterns cannot match that client.

ResolveClientHostName (sshd2_config file only)
  Enables (yes) or disables (no) resolving the client's IP address to a hostname via DNS.

MaxBroadcastsPerSecond (sshd2_config file only)
  Sets how many UDP broadcasts the server handles per second. The default, 0, means no broadcasts are handled.

NoDelay
  Enables (yes) or disables (no) the TCP_NODELAY socket option, which sends small writes immediately instead of buffering them.

KeepAlive
  Enables (yes) or disables (no) sending keepalive packets to SSH clients. Keepalives prevent hung sessions by detecting that the client on the other end is no longer running, for example because it crashed or blue-screened.
Crypto Settings
The Crypto section of the sshd2_config file should look like the following:
Ciphers AnyStdCipher
MACs AnyStdMac
RekeyIntervalSeconds 0
RandomSeedFile "server_random_seed"
The Encryption section of the SSH configuration GUI should look like
Figure 2.4.
Figure 2.4 Encryption screen from the SSH server configuration tool.
Table 2.20 describes the Encryption options available for the SSH server.
Table 2.20 Options in the Encryption Section (Windows)

Ciphers
  Lists the ciphers that may be used to encrypt the session. Triple-DES (3DES), Blowfish, Arcfour, Twofish, CAST-128, and DES are supported. Group keywords are also accepted: any allows every supported cipher, including none; anystd allows the standard ciphers (those listed in the IETF SSH drafts), including none; anycipher allows every supported cipher except none; anystdcipher allows the standard ciphers except none. A setting of none sends the session in cleartext and should never be used outside a test network; single DES and Arcfour are weak by current standards and should be left out of production lists as well.

MACs
  Lists the message authentication code (MAC) algorithms, keyed hashes that let the receiver verify that each packet arrived unmodified. SHA1, MD5, SHA1-96, and MD5-96 are supported. Multiple MACs can be listed, separated by commas.

RekeyIntervalSeconds
  Specifies the time, in seconds, after which the key-exchange process runs again to produce fresh session keys. The default is 3600 seconds (one hour). Setting the value to zero disables re-keying, so one set of session keys protects the entire session however long it lasts; keep the default unless a client has a known problem with re-keying.

RandomSeedFile
  Identifies the location of the random seed file, which preserves randomness for the SSH server's random number generator across restarts.

Users Settings
The Users section of the sshd2_config file should look like the following:
LoginGraceTime 600
PermitEmptyPasswords no
UserConfigDirectory "%D/.ssh2"
AuthorizationFile "authorization"
PrivateWindowStation yes
The User Authentication section of the SSH configuration GUI should look
like Figure 2.5.
Figure 2.5 User Authentication screen from the SSH server configuration tool.
Furthermore, the User Authentication–Password section should look like Figure 2.6.
Lastly, the User Authentication–Public Key section should look like Figure 2.7.
Figure 2.6 User Authentication–Password screen from the SSH server configuration tool.
Figure 2.7 User Authentication–Public Key screen from the SSH server configuration tool.
Table 2.21 describes the User Authentication options available for the SSH
server.
Table 2.21 Options in the User Authentication Section (Windows)

LoginGraceTime
  The time, in seconds, a user has to complete the login process after initiating an authentication request; the connection is dropped when it expires. Values range from 0 (no limit) to 600 seconds.

PermitEmptyPasswords
  Allows (yes) or rejects (no) login by accounts whose password is empty. In almost all situations this should be no.

UserConfigDirectory (sshd2_config file)
  Identifies the location of user-specific configuration data, such as keys and identification files. The default is the .ssh2 folder in the user's home directory, such as /home/<username>/.ssh2 or Documents and Settings\<username>\.ssh2 (%D expands to the user's home directory, %U to the user's login name). More than one location can be listed.

User key directory (GUI)
  Identifies the location of the authorization file, usually named authorization and kept in the user's .ssh2 directory on the SSH server. The SSH server reads this file to learn which public keys are accepted for the user during public-key authentication. For example, if a user has two public keys, id_dsa_2048_a.pub and id_rsa_2048_a.pub, the authorization file contains:
  Key id_dsa_2048_a.pub
  Key id_rsa_2048_a.pub
  Note: the public-key files named in the authorization file must also be present in that directory (%D/.ssh2 by default); see Chapter 4.

PrivateWindowStation (sshd2_config file only)
  Enables (yes) or disables (no) running each terminal session in its own private window station rather than a shared one.
Server Public Key Configuration
The Server Public Key Configuration section of the sshd2_config file should
look like the following:
# HostKeyFile hostkey
# PublicHostKeyFile hostkey.pub
The Identity section of the SSH configuration GUI should look like Figure 2.8.
Table 2.22 describes the Server Public Key options available for the SSH
server.
Table 2.22 Options in the Server Public Key Configuration Section (Windows)

HostKeyFile
  Identifies the location of the private host-key file. The default location is the /etc/ssh2 directory on the local file system. Restrict access to this file: anyone who can read it can impersonate the server.

PublicHostKeyFile
  Identifies the location of the public host-key file. The default is hostkey.pub on the local file system.
Figure 2.8 Identity screen from the SSH server configuration tool.
Server Certificate Configurations
The Server Certificate Configuration section of the sshd2_config file should
look like the following:
# HostKeyFile ""
# HostCertificateFile ""
# Pki ""
# MapFile ""
# LDAPServers
# SocksServer
# PkiDisableCRLs no
Table 2.23 describes the Server Certificate options available for the SSH
server.
Table 2.23 Options in the Server Certificate Configuration (Windows)

HostKeyFile
  Identifies the location of the private host-key file. The default is hostkey on the local file system.

HostCertificateFile
  Identifies the location of the server's certificate file.

Pki
  Enables (yes) or disables (no) user authentication using certificates.

MapFile
  Identifies the mapping file used with the preceding Pki keyword.

LDAPServers
  Identifies the LDAP server(s) from which certificate revocation lists (CRLs) are fetched.

SocksServer
  Identifies the SOCKS server used to reach CRL distribution points on remote servers.

PkiDisableCRLs
  Disables (yes) CRL checking. Leave it at no: without revocation checking, a revoked certificate remains usable until it expires.
Tunneling Configurations
The Tunneling section of the sshd2_config file should look similar to the
following:
AllowTcpForwarding no
# AllowTcpForwardingForUsers
# DenyTcpForwardingForUsers
The Tunneling section of the SSH configuration GUI should be similar to
Figure 2.9.
Figure 2.9 Tunneling screen from the SSH server configuration tool.
Table 2.24 describes the Tunneling options available for the SSH server.
Table 2.24 Options in the Tunneling Section (Windows)

AllowTcpForwarding
  Enables (yes) or disables (no) port forwarding, both local and remote, for all users.

AllowTcpForwardingForUsers
  Enables port forwarding, both local and remote, for specific users only. Accepts usernames and patterns, such as DNS patterns.

DenyTcpForwardingForUsers
  Disables port forwarding, both local and remote, for specific users. Accepts usernames and patterns, such as DNS patterns. These settings only constrain what the server itself will forward; a user who also has a shell can run their own tunneling tools, so pair forwarding restrictions with PermitUserTerminal where users should be limited to file transfer.
Authentication Methods
The Authentication section of the sshd2_config file should look like the
following:
PasswordGuesses 3
AllowedAuthentications "publickey,password,"
RequiredAuthentications "publickey,"
AuthInteractiveFailureTimeout 2
AuthKbdInt.NumOptional 0
# AuthKbdInt.Optional ""
# AuthKbdInt.Required ""
AuthKbdInt.Retries
Table 2.25 describes the Authentication options available for the SSH server.
Table 2.25 Options in the Authentication Section (Windows)

PasswordGuesses (shown in Figure 2.5)
  Sets the number of password attempts a user is given before being disconnected if no valid authentication is submitted.

AllowedAuthentications (shown in Figures 2.6 and 2.7, in the Password Authentication and Public Key drop-down boxes)
  Lists the authentication methods the server accepts. Options include password, publickey, and hostbased.

RequiredAuthentications (shown in Figures 2.6 and 2.7, in the Password Authentication and Public Key drop-down boxes)
  Lists the authentication methods that must all succeed before a user is logged in. If the value is empty, any single method in AllowedAuthentications is sufficient. The sample configuration above requires publickey, so a password alone is never enough.

AuthInteractiveFailureTimeout (sshd2_config file only)
  Sets the delay, in seconds, that the server imposes after a failed keyboard-interactive or password attempt before the client may try again; the sample configuration uses 2. The delay slows down online password guessing.

AuthKbdInt.NumOptional (sshd2_config file only)
  Sets how many of the optional keyboard-interactive submethods must succeed before authentication is considered valid.

AuthKbdInt.Optional (sshd2_config file only)
  Lists the optional submethods keyboard-interactive authentication will use. The options include SecurID, plugin, and password.

AuthKbdInt.Required (sshd2_config file only)
  Lists the submethods that must all succeed for a valid authentication.

AuthKbdInt.Retries (sshd2_config file only)
  Sets how many times a user may retry the keyboard-interactive process before being disconnected.
Host Restrictions
The Host Restrictions section of the sshd2_config file should look like the
following:
# AllowHosts
# DenyHosts
The Host Restrictions section of the SSH configuration GUI should look like
Figure 2.10.
Figure 2.10 Host Restrictions screen from the SSH server configuration tool.

Table 2.26 describes the Host Restrictions options available for the SSH
server.
Table 2.26 Options in the Host Restrictions Section (Windows)

AllowHosts
  Lists the hostnames, IP addresses, and/or patterns that are the only ones allowed to log in to the SSH server. Hostname entries are matched against the client's reverse DNS name, which whoever controls the reverse zone for the client's address range can set to anything, so prefer IP address patterns where the client population allows it.

DenyHosts
  Lists the hostnames, IP addresses, and/or patterns that are not allowed to log in to the SSH server.
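The interaction between RequireReverseMapping (Table 2.19) and the AllowHosts/DenyHosts entries above is easy to get wrong, so here is a small Python model of that decision. It is an added example, not code from the book or from the SSH server: the wildcard syntax (shell-style *, ? and []), the deny-before-allow order, and the sample policy and connection attempts are this example's assumptions.

```python
from fnmatch import fnmatchcase


def _matches(patterns, names):
    """Case-insensitive shell-style match of any name against any pattern."""
    return any(fnmatchcase(n.lower(), p.lower()) for p in patterns for n in names)


def decide(client_ip, reverse_name, allow_hosts, deny_hosts, require_reverse_mapping):
    """Model the AllowHosts/DenyHosts decision for one connection.

    reverse_name is the PTR result for client_ip, or None if the lookup failed.
    Assumptions (not taken from the product documentation): patterns use the
    shell wildcards *, ? and [], and DenyHosts is consulted before AllowHosts.
    Returns (allowed, reason).
    """
    if require_reverse_mapping and reverse_name is None:
        return False, "reverse lookup failed and RequireReverseMapping is yes"
    # With RequireReverseMapping no, a failed lookup leaves only the IP to match,
    # so hostname patterns silently stop applying to that client.
    names = [client_ip] if reverse_name is None else [client_ip, reverse_name]
    if deny_hosts and _matches(deny_hosts, names):
        return False, "matched DenyHosts"
    if allow_hosts:
        if _matches(allow_hosts, names):
            return True, "matched AllowHosts"
        return False, "AllowHosts is set and nothing matched"
    return True, "no host restriction applies"


# Constructed sample policy and connection attempts (not from the book).
ALLOW = ["*.corp.example", "10.0.0.*"]
DENY = ["kiosk-*.corp.example"]
ATTEMPTS = [
    ("10.0.0.15", None),                     # internal host whose PTR is missing
    ("203.0.113.7", "laptop.corp.example"),  # travelling user with a good PTR
    ("203.0.113.8", None),                   # unknown address, no PTR
    ("10.0.0.40", "kiosk-3.corp.example"),   # internal, but explicitly denied
]


def evaluate(require_reverse_mapping):
    """Run every constructed attempt under one RequireReverseMapping setting."""
    return {ip: decide(ip, name, ALLOW, DENY, require_reverse_mapping) for ip, name in ATTEMPTS}


if __name__ == "__main__":
    for setting in (False, True):
        print(f"RequireReverseMapping {'yes' if setting else 'no'}")
        for ip, (ok, why) in evaluate(setting).items():
            print(f"  {ip:<14} {'allow' if ok else 'deny':<6} {why}")
```

Run it and compare the two passes: the internal host 10.0.0.15 is admitted by its IP pattern when RequireReverseMapping is no, but refused outright when it is yes, because its PTR record is missing. That is the trade-off the table describes: yes closes the door on clients with broken reverse DNS, no lets them in only if an IP pattern matches.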
User Restrictions
The User Restrictions section of the sshd2_config file should look like the
following:
# AllowUsers
# DenyUsers
# PermitRootLogin
PermitUserTerminal
The User Restrictions section of the SSH configuration GUI should look like
Figure 2.11.
Figure 2.11 User Restrictions screen from the SSH server configuration tool.
Table 2.27 describes the User Restriction options available for the SSH
server.
Table 2.27 Options in the User Restrictions Section (Windows)

AllowUsers
  Lists the only users allowed to log in to the SSH server, as a comma-separated list of names or a pattern-matching expression.

DenyUsers
  Lists the users not allowed to log in to the SSH server, as a comma-separated list of names or a pattern-matching expression.

PermitRootLogin
  Enables (yes) or disables (no) direct login by the root user. As a best practice this should be no, forcing administrators to log in under their own accounts and su (switch user) to root, which keeps a record of who did what. If the root account must be able to log in directly, the value nopwd allows it with public-key authentication only.

PermitUserTerminal
  Enables (yes) or disables (no) a user's access to a terminal session. If set to admin, only administrators can open a terminal. The admin setting works well for SFTP file servers: users can transfer files without ever getting a cmd.exe prompt on the server.
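Most of the settings covered so far (Network, Crypto, Users, Tunneling, Authentication, Host and User Restrictions) can be checked mechanically before a server goes live. The following Python audit script is an added example, not part of the book or of the SSH Secure Shell Server: it parses an sshd2_config file and flags the weak choices discussed in the tables above. The two embedded configurations are constructed for the example, and the threshold of three password guesses and the list of keywords treated as weak are this script's assumptions rather than vendor defaults.

```python
import re

# sshd2_config copied out of a PDF often carries curly quotes; strip both kinds.
_QUOTES = '"\u201c\u201d'


def parse_sshd2_config(text):
    """Parse 'Keyword value' lines into {keyword_lower: [values]}.

    Comments and blank lines are skipped; a keyword that appears more than once
    (Port, ListenAddress) keeps every occurrence in order.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = re.match(r"(\S+)(\s*)(.*)", line).groups()
        conf.setdefault(key.lower(), []).append(value.strip().strip(_QUOTES))
    return conf


def values(conf, key):
    """All comma-separated items given for a keyword, lowercased and stripped."""
    items = []
    for value in conf.get(key.lower(), []):
        items.extend(part.strip().lower() for part in value.split(",") if part.strip())
    return items


def audit(conf):
    """Return a list of findings; an empty list means no check fired.

    The guess threshold and the keywords treated as weak are this script's
    assumptions, not values shipped with the product.
    """
    findings = []
    if "0.0.0.0" in values(conf, "ListenAddress"):
        findings.append("ListenAddress 0.0.0.0: listening on every interface; list the intended addresses")
    weak = {"none", "des", "any", "anystd"} & set(values(conf, "Ciphers"))
    if weak:  # any and anystd admit the null cipher as well as real ones
        findings.append(f"Ciphers admit weak or null encryption: {sorted(weak)}")
    if {"none", "any", "anystd"} & set(values(conf, "MACs")):
        findings.append("MACs admit a null MAC: packet integrity is not guaranteed")
    if values(conf, "RekeyIntervalSeconds") == ["0"]:
        findings.append("RekeyIntervalSeconds 0: re-keying disabled for the life of the session")
    if values(conf, "PermitEmptyPasswords") == ["yes"]:
        findings.append("PermitEmptyPasswords yes: accounts with blank passwords can log in")
    if values(conf, "PermitRootLogin") == ["yes"]:
        findings.append("PermitRootLogin yes: use no, or nopwd for public-key-only root login")
    if values(conf, "LoginGraceTime") == ["0"]:
        findings.append("LoginGraceTime 0: unauthenticated connections never time out")
    guesses = values(conf, "PasswordGuesses")
    if guesses and guesses[0].isdigit() and int(guesses[0]) > 3:
        findings.append(f"PasswordGuesses {guesses[0]}: more than 3 attempts per connection")
    if ("password" in values(conf, "AllowedAuthentications")
            and "publickey" not in values(conf, "RequiredAuthentications")):
        findings.append("a password alone is sufficient: add publickey to RequiredAuthentications")
    if values(conf, "AllowTcpForwarding") == ["yes"] and not values(conf, "AllowTcpForwardingForUsers"):
        findings.append("AllowTcpForwarding yes for all users: scope it with AllowTcpForwardingForUsers")
    for entry in values(conf, "Sftp-DirList"):
        if re.fullmatch(r"[a-z]:\\?", entry.partition("=")[2]):
            findings.append(f"Sftp-DirList '{entry}' exposes a whole drive to regular SFTP users")
    return findings


# Constructed sample: the page's settings with several knobs deliberately weakened.
WEAK_CONFIG = """\
Port 22
Port 443
ListenAddress 0.0.0.0
Ciphers AnyStd
MACs AnyStdMac
RekeyIntervalSeconds 0
LoginGraceTime 600
PermitEmptyPasswords yes
PermitRootLogin yes
PasswordGuesses 5
AllowedAuthentications "publickey,password,"
RequiredAuthentications ""
AllowTcpForwarding yes
# AllowTcpForwardingForUsers
Sftp-DirList "HOME=%D, C:=C:"
"""

# Constructed sample: the same file hardened along the lines of the tables above.
HARDENED_CONFIG = """\
Port 22
ListenAddress 10.0.0.1
Ciphers AnyStdCipher
MACs AnyStdMac
RekeyIntervalSeconds 3600
LoginGraceTime 600
PermitEmptyPasswords no
PermitRootLogin nopwd
PasswordGuesses 3
AllowedAuthentications "publickey,password,"
RequiredAuthentications "publickey,"
AllowTcpForwarding no
Sftp-DirList "HOME=%D"
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit(parse_sshd2_config(text))
        print(f"{name}: {len(report)} finding(s)")
        for finding in report:
            print("  -", finding)
```

Point the script at a real file with `audit(parse_sshd2_config(open(path).read()))`. The weak sample produces nine findings and the hardened one none; the MAC check stays quiet in both because anystdmac excludes the null MAC, which is exactly why anystdcipher rather than anystd belongs on the Ciphers line.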
Subsystem Definitions
The Subsystem Definitions section of the sshd2_config file should look like the
following:
subsystem-sftp sftp-server2.exe
SftpLogCategory 16
Sftp-DirList "HOME=%D"
Sftp-Home "%D"
Sftp-AdminDirList "HOME=%D, C:=C:, D:=D:"
# Sftp-AdminUsers
The SFTP Server section of the SSH configuration GUI should look like Figure 2.12.
The SFTP Server–Power Users section should look like Figure 2.13.
Figure 2.12 SFTP Server screen from the SSH server configuration tool.
Figure 2.13 SFTP Server–Power Users screen from the SSH server configuration tool.
Table 2.28 describes the SFTP options available for the SSH server.

Table 2.28 Options in the Subsystem Definitions (Windows)

subsystem-sftp (sshd2_config file only)
  Identifies the path to the SFTP (secure file transfer protocol) subsystem executable used with SSH, usually located in Program Files/SSH Secure Shell Server.

SftpLogCategory (sshd2_config); Event Log categories (GUI, Figure 2.12)
  Specifies which SFTP operations are logged to the Windows Event Viewer. The default value, 16, logs only user logins and logouts.

Sftp-DirList (sshd2_config); Accessible Directories (GUI, Figure 2.12)
  Identifies the directories available to a regular SFTP user, in the form virtual-dir=real-dir. SFTP access is restricted to the listed directories only. This works well for secure file servers: users can be limited to one share or folder on the server, such as D:\applications, with no access to operating system folders such as c:\winnt\system32\config. Discussed further in Chapters 6 and 7.

Sftp-Home (sshd2_config); User Home Directory (GUI, Figure 2.12)
  Identifies the SFTP home directory for all users.

Sftp-AdminDirList (sshd2_config); Accessible Directories (GUI, Figure 2.13)
  Identifies the directories available to SFTP administrators. The sample value above publishes the home directory plus the whole C: and D: drives, so the Sftp-AdminUsers list should be kept short.

Sftp-AdminUsers (sshd2_config); Power Users (GUI, Figure 2.13)
  Lists the usernames treated as SFTP administrators.
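The virtual-dir=real-dir mapping in Sftp-DirList and Sftp-AdminDirList is what confines an SFTP user, so the path handling behind it has to refuse anything that escapes the published directories. The Python below is an added illustration of that confinement, not the SFTP server's own code: the two directory lists are the ones shown in the sample configuration above with constructed home directories, and exact-case matching of virtual names and the absence of junction/symlink resolution are simplifications of this model.

```python
import ntpath
import posixpath


def parse_dirlist(spec, home, user):
    """Parse an Sftp-DirList value such as 'HOME=%D, C:=C:' into {virtual: real}.

    %D and %U expand as the book describes them (home directory, login name).
    """
    mapping = {}
    for entry in spec.split(","):
        virtual, sep, real = entry.strip().partition("=")
        if sep:
            mapping[virtual.strip()] = real.strip().replace("%D", home).replace("%U", user)
    return mapping


def resolve(mapping, requested):
    """Map a client-supplied virtual path to a real Windows path, or None if refused.

    The first component names a virtual directory; the rest is joined under its
    real directory. Refused: virtual names not in the mapping (including any the
    client reaches with '..'), and any result that does not stay under the real
    root (a component such as 'C:' would otherwise switch drives). A production
    server would also canonicalize junctions/symlinks before this check; that is
    omitted here because the sample paths do not exist on disk.
    """
    normalized = posixpath.normpath("/" + requested.replace("\\", "/").lstrip("/"))
    parts = [p for p in normalized.split("/") if p]
    if not parts or parts[0] not in mapping:
        return None
    root = ntpath.normpath(mapping[parts[0]] + "\\")
    real = ntpath.normpath(ntpath.join(root, *parts[1:])) if len(parts) > 1 else root
    prefix = root.lower().rstrip("\\") + "\\"
    inside = real.lower() == root.lower() or real.lower().startswith(prefix)
    return real if inside else None


# Constructed sample: the regular-user and administrator lists from the page,
# with home directories invented for the example.
REGULAR = parse_dirlist("HOME=%D", r"D:\Users\alice", "alice")
ADMIN = parse_dirlist("HOME=%D, C:=C:, D:=D:", r"D:\Users\admin", "admin")

if __name__ == "__main__":
    probes = ("/HOME/reports/q1.txt", "/HOME/../C:/Windows/System32/config/SAM",
              "/C:/Windows/System32", r"\HOME\..\..\Windows", "/HOME/C:/x")
    for who, mapping in (("alice", REGULAR), ("admin", ADMIN)):
        for req in probes:
            print(f"{who:<6} {req:<42} -> {resolve(mapping, req)}")
```

The traversal probes all come back None for the regular user, while the administrator mapping resolves the SAM path quite happily: that is not a bug in the model but the consequence of publishing C:=C: to a user, which is why the power-user list deserves the same scrutiny as the Administrators group.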

VanDyke Software’s VShell SSH Server
VanDyke Software's VShell SSH server is available only for Windows environments. The VShell server uses a GUI to display, edit, and report configuration options for the SSH server. The following paragraphs address the various settings and capabilities of the VShell SSH server.
General Settings
To view the configuration screen (see Figure 2.14), browse to the VShell shortcut, Start ➪ Program ➪ VShell ➪ VShell.
Figure 2.14 VShell configuration screen.
In the configuration screen, highlight the general section first. The general
section describes some of the global options for the SSH server, which are
listed in Table 2.29.
Table 2.29 Options in the General Section (VShell)

ListeningPort
  Sets the port number the SSH server listens on. The default is 22; as with the Port option in Table 2.19, a nonstandard port such as 80, 443, or 8080 can help business travelers whose networks block outbound connections on port 22 but allow 80 or 443.

Enable Keep Alives
  Enables (checked) or disables (unchecked) sending keepalive packets to SSH clients. Keepalives prevent hung sessions by detecting that the client on the other end is no longer running, for example because it crashed or blue-screened.

Disconnect idle session after __ minutes
  Sets the number of minutes a session may remain unused before it is closed automatically.

MOTD file
  Identifies the path to the MOTD (message of the day) file, under Program Files\VShell\, displayed at login. Useful for announcing system downtime, security notices, and so on to everyone who logs in.

Command Shell
  Identifies the executable that provides terminal access to remote users, usually the command prompt (cmd.exe).

Command arguments
  Identifies any arguments or flags passed to the command shell specified above.
General–Host Key
Highlight the General–Host Key section next (see Figure 2.15). The General–
Host Key section describes the host-key location as well as the fingerprint.
Various options are given in Table 2.30.
Figure 2.15 General–Host Key screen from the VShell server.
Table 2.30 Options in the General–Host Key Section (VShell)

Filename
  Identifies the path to the VShell SSH server's host key.

Fingerprint
  Displays the fingerprint of the VShell SSH server's host key, the value users should compare against what their client shows on first connection.

Generate Host Key
  A wizard that creates a host key for the VShell SSH server.
General–Key Exchanges

Highlight the General–Key Exchanges section next (see Figure 2.16). The
General–Key Exchanges section describes the key exchange options. Various
options are given in Table 2.31.
Figure 2.16 General–Key Exchanges screen from the VShell server.
Table 2.31 Options in the General–Key Exchanges Section (VShell)

Algorithms
  Identifies the algorithms available for the key-exchange process.

Re-exchanges
  Enables (checked) or disables (unchecked) periodic re-exchange of keys. If checked, an interval in minutes must be selected.
General–Cipher
Highlight the General–Cipher section next (see Figure 2.17). The General–Cipher section describes the encryption options, which are listed in Table 2.32.
Figure 2.17 The General–Cipher screen from the VShell server.
Table 2.32 Options in the General–Cipher Section (VShell)

Cipher
  Identifies the ciphers that may be used to encrypt the session. AES-128, AES-192, AES-256, Twofish, Blowfish, Triple-DES (3DES), RC4, and no encryption (none) are supported. Do not enable none on a production server; RC4 is weak by current standards and should be disabled as well.
General–MAC
Highlight the General–MAC section next (see Figure 2.18). The General–MAC
section describes the hash options, which are listed in Table 2.33.
Figure 2.18 General–MAC screen from the VShell server.
Table 2.33 Options in the General–MAC Section (VShell)

MAC
  Message authentication code (MAC) algorithms, keyed hashes that let the receiver verify each packet arrived unmodified. SHA1, MD5, SHA1-96, and MD5-96 are supported. No MAC (none) can also be selected, which leaves the session open to undetected tampering.
General–Compression
Highlight the General–Compression section next (see Figure 2.19). The
General–Compression section describes the compression options, which are
listed in Table 2.34.
Figure 2.19 General-Compression from the VShell server.
Table 2.34 Options in the General-Compression Section (VShell)

Enable Compression
  Enables (checkbox selected) or disables (checkbox not selected) compression during the SSH session.

Server Compression Level
  If Enable Compression is checked, sets the compression level used for the SSH session.
Authentication
Highlight the Authentication section next (see Figure 2.20). The Authentication section describes the authentication options, which are listed in Table 2.35.
Figure 2.20 Authentication screen from the VShell server.
Table 2.35 Options in the Authentication Section (VShell)

Limit failed attempts to
  The number of failed authentication attempts a user may make before the session is disconnected.

Time out authentication after
  Sets the amount of time the user has to complete authentication, measured from the moment the connection is initiated to the moment the user supplies a username/password or private-key passphrase.

Required authentication methods – Password
  Requires a password for authentication.

Required authentication methods – Public Key
  Requires a public key for authentication.

Required authentication methods – Public Key Uploads
  Sets the number of times a user may log in with only a password in order to upload a public key. This is useful when public-key authentication is the only permitted method, since it gives the user a way to enroll a key. Each permitted upload is also a login that a password alone unlocks, so keep the count at the minimum needed.

Public key folder
  The location where users' public keys are stored. The default is Program Files\VShell\Publickey\<username>.
Access Control
Highlight the Access Control section next (see Figure 2.21). The Access Control
section describes the rights and privileges for different users, which are listed
in Table 2.36.
Table 2.36 Options in the Access Control Section (VShell)

Name
  Identifies the users or groups allowed to access the VShell SSH server. This is valuable because access can be limited to specific users and groups instead of exposing SSH to every account on the machine.

Permissions
  Allows or denies specific rights per user or group: log in, shell, remote execution, SFTP, port forwarding, and remote port forwarding. This granularity is absent from other SSH implementations and lets one VShell service serve several purposes safely. For example, if SSH is deployed as a secure management tool, a secure file transfer tool, and a remote access solution at once, users in the Administrators group can be given Shell and Port Forwarding rights to manage the server. Users in a File Transfer group can be denied everything, including Shell, but allowed SFTP, so they have full file access to the published directory (for example, d:\share\applications) without ever getting a command prompt (cmd.exe) on the server. Users in a Remote Access group can be denied Shell and SFTP but granted Port Forwarding, so they can tunnel ports such as mail ports for remote access without obtaining a command prompt or file access on the VShell SSH server.
Figure 2.21 Access Control screen from the VShell server.
SFTP Section
Highlight the SFTP section next (see Figure 2.22). The SFTP section describes the secure file transfer options, which are listed in Table 2.37. These options are valuable because they control exactly which folders are published to SFTP users. This helps secure a file server: only authorized directories, such as d:\Common files\, are exposed, while sensitive operating system files and folders, such as c:\winnt\, stay out of reach. Because the SFTP session is confined to the published root, a user cannot browse or download other files that happen to be on the SSH server.
Table 2.37 Options in the SFTP Section (VShell)

SFTP Root
  Sets the SFTP root directory that users are allowed to access.

SFTP Root <Directory>
  Shows the permissions of the SFTP root directory that has been specified.
